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(54) Method and apparatus for a key-management scheme for Internet protocols. 



(57) A first data processing device (node I) is cou- 
pled to a private network which is in turn coupled to the 
Internet. A second data processing device (node J) is 
coupled to the same, or to a different network, which is 
also coupled to the Internet such that node I communi- 
cates to node J using the Internet protocol. Node I is pro- 
vided with a secret value i, and a public value a' mod p. 
Node J is provided with a secret value j, and a public 
value d mod p. Data packets (referred to as "datagrams") 
are encrypted to enhance network security. A source 

FIG. 1 
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node I obtains a Diffie-Helman (DH) certificate for node 
J, and obtains node J's public value oi mod p from the 
DH certificate. Node I then computes the value of mod 
& and derives a key Kg from the value ofl mod p. A tran- 
sient key Kp is then generated at random, and Kp is used 
to encrypt the datagram to be sent by node I. Kp is then 
encrypted with key Ky. Upon receipt of the encrypted dat- 
agram by the receiving node J, the node J obtains a DH 
certificate for node I, and obtains the public value al mod 
P 
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Description 

BACKGROUND OF THE INVENTION 

1. Field pf the Invention: 

The present invention relates to the field of key man- 
agement schemes, and more particularly, the present 
invention relates to a key management scheme for Inter- 
net working protocols to provide additional security at the 
network layer. 

2. Art Background ! 

The Internet comprises a spiderweb of connected 
networks which criss-cross the globe and permit users 
to send and receive data packets between computers. 
Although many of the computers coupled to the Internet 
are disposed at fixed locations, portable computer sys- 
tems may be physically moved from one location on a 
network to another. Wireless links coupling the comput- 
ers to the Internet including direct satellite links, also 
allow users to access the Internet from remote areas. As 
a result of the dramatic increase in the use of the Internet 
throughout the world, concerns regarding network secu- 
rity naturally arise. 

A variety of schemes have been proposed to 
increase security on the Internet and a number of these 
schemes have been adopted. For example, encryption 
and authentication procedures known as Privacy 
Enhanced Mail (PEM) provide for enhanced privacy in 
electronic mail re-main services over the Internet Addi- 
tionally, schemes for utilizing PEM for secure remote 
user authentication have also been proposed. (See, for 
example. U.S. Patent Application Serial No. 08/253,802, 
filed June 3, 1994, entitled "Method and Apparatus for 
Secure Remote User Authentication in a Public Net- 
work", assigned to the Assignee of this patent applica- 
tion, Sun Microsystems, Inc., and hereby incorporated 
fully by reference.) 

However, even if a remote user has been authenti- 
cated, there still exists the possibility that an intruder 
(herein referred to as a "cracker) may mount an active 
attack to interject himself in data transfers across the 
Internet Although a user may incorporate a scheme for 
secure remote user authentication prior to login, a 
cracker may sever one of the authenticated parties from 
the Internet connection, and receive and transmit substi- 
tute data packets to the other unwitting party (or poten- 
tially to both parties). Once the Internet connection is 
established, data packets are sent over the network in 
the clear. For example, a cracker may interject himself 
between, for example, a user "A" in communication with 
a user "B" on the Internet, and issue a disconnect com- 
mand to user A. Upon receipt of the disconnect com- 
mand from the cracker, user A believes that user B has 
severed the connection. The cracker may then take over 
the communication established with user B, such that 
user B does not know that user A is not sending him data 



packets. Thus, a number of security issues exist when 
sending data over the Internet including a cracker's abil- 
ity to monitor data packets in the clear and to interject 
himself in the communication line such that he may 
5 receive and send data packets to unwitting users. It is, 
therefore, advantageous to put authenticity and privacy 
features at the network layer on the Internet However, 
the majority of the privacy and authentication protocols 
which have been proposed provide session oriented key 
10 management schemes. Unfortunately, many of the com- 
monly used network layer protocols (for example IP) are 
session-less datagram oriented protocols. 

The present invention provides a key management 
scheme that is particularly well suited for use in conjunc- 
15 tion with session-less datagram protocols (herein 
referred to as the "SKIP" scheme), such as the Internet 
protocols, and the proposed replacement candidates 
known as Connectionless Network Layer Protocol 
CCLNP") and Simple Internet Protocol Pblymodal 
20 fSIPP"). The present invention's key management 
scheme prevents crackers from monitoring the transfer 
of data in the clear over the Internet by encrypting every 
data packet 

As will be described, the present invention utilizes 
25 the teachings of SKIP for securing traffic at the IP layer, 
which has advantages ever performing security func- 
tions at the application or transport layers. The approach 
of the present invention is to encrypt inter-site traffic at 
the IP layer using the SKIP scheme, and thereby deny a 
30 would be cracker from detecting the source and destina- 
tion addresses of the communicating nodes. To minimize 
the impact of providing key-management facilities in 
every node, the present invention encrypts the IP pack- 
ets from site firewall to site firewall. Thus, only the firewall 
35 servers need to participate in the SKIP scheme. When 
a firewall receives an IP packet from an interior site node 
intended for a remote firewall, it encrypts the IP packet 
and sends it encapsulated in another IP packet destined 
for the remote firewall. The remote firewall decrypts the 
40 encapsulated packet and sends it in the clear to the des- 
tination node on the interior side of the remote firewall. 

Another common network security requirement is to 
allow remote users to access the protected networkfrom 
across the Internet in a secure fashion. As will be 
45 described, the present invention accommodates this 
requirement on top of packet layer encryption, without 
requiring changes to the various client applications used 
for remote access across the Internet 

*> SUMMARY OF THF [NVENTlOjj 

The present invention provides a key management 
scheme that is particularly suited to connectionless dat- 
agram protocols, such as the Internet protocol (IP). A first 
55 data processing device (node 0 is coupled to a private 
networkwhichisinturncoupledtothe Internet A second 
data processing device (node J) is coupled to the same, 
or to a different network, which is also coupled to the 
Internet, such that node I communicates to node J using 



2 



3 



EP0 693 836A1 



4 



the Internet protocol. Node I is provided with a secret 
value i. and a public value at mod p. Node J is provided 
with a secret value j, and a public value ai mod p. Data 
packets (referred to as "datagrams") are encrypted using 
the teachings of the present invention to enhance net- 5 
work security. A source node I obtains a Diffie-Helman 
(DH) certificate for node J (either from a local cache, from 
a directory service, or directly from node J), and obtains 
node J's public value d mod p from the DH certificate. 
Node I then computes the value of a* mod p, and derives 10 
a key Kg from the value a* mod p. Atransient key Kp Is 
generated at random and is used to encrypt the data- 
gram to be sent by node I. The key Kp is used for a con- 
figurable number of bytes, which is the maximum number 
of bytes the node will decrypt using Kp. Kp is then 15 
encrypted with key Kg. Upon receipt of the encrypted dat- 
agram by the receiving node J, the node J obtains a DH 
certificate for node I (either from a local cache, from a 
directory service or directly from node J) and obtains the 
public value al mod p. Node J then computes the value 20 
of a$ mod p and derives the toy Kg. Node J utilizes the 
key Ky to decrypt the transient key Kp, and using the 
decrypted transient key Kp, node J decrypts the data- 
gram packet thereby resulting in the original data in 
unencrypted form. Accordingly, both the protocol and 25 
computational overhead of the present invention is low, 
changing packet encrypting keys requires no communi- 
cation between sending and receiving nodes, and no 
establishment of a pseudo-session state between the 
two sides is required. The present invention may also be 30 
used in conjunction with datagram multi-cast protocols 
allowing a single encrypted datagram to be multi-cast to 
numerous receiving nodes coupled to the Internet 

The present invention further provides an applica- 
tion of the SKIP key management scheme for encryption ss 
of Internet Protocol (IP) data packets between site fire- 
walls. In this embodiment, the present invention includes 
a first data processing device (node I) coupled to a first 
private network and to a firewall server (FWA). Firewall 
server FWA is in turn coupled to a public network, such 40 
as the Internet. A second data processing device (node 
J) is coupled to a second private network which is cou- 
pled to the Internet through a firewall server (FWB). Node 
I provides a data packet including IP data and a destina- 
tion address for the intended receiving computer node J, 45 
to firewall FWA. Firewall FWA is provided with a secret 
value a, and a public value a* mod p. Similarly, firewall 
FWB is provided with a secret value b and a public value 
a 6 mod p. The firewall FWA obtains a Diffie-Hellman 
(DH) certificate for firewall FWB and determines the pub- so 
lie value ot> mod p from the DH certificate. Firewall FWA 
then computes the value of a®** mod p, and derives a key 
Kab from the value a?° mod p. A transient toy Kp is gen- 
erated randomly and is configured for use with a prede- 
termined number of data packets. Kp is used to encrypt ss 
the data packet to be transmitted by firewall FWA to fire- 
wall FWB. The encrypted data packet is then encapsu- 
lated in a transmission packet by the firewall FWA. The 
transmission packet includes an unencrypted destina- 



tion address for the firewall FWB. Firewall FWA then 
sends the transmission packet to firewall FWB over the 
internet Upon receipt of the transmission packet from 
firewall FWA, firewall FWB obtains a DH certificate for 
firewall FWA, and determines the public value of or 3 mod 
p from the DH certificate. Firewall FWB computes the 
value of cr* mod p, and derives the key Firewall B 
utilizes the key K^ to decrypt the transient key Kp. and 
using the decrypted transient key Kp, firewall FWB 
decrypts the encrypted data packet received from FWA. 
thereby resulting in the recovery of the original data sent 
by node I in unencrypted form to the firewall FWA. The 
firewall FWB then transmits the decrypted data packet 
to the receiving node J over the second private network. 
Accordngly, data packets sent within each of the private 
networks coupled are transmitted in an unencrypted 
form, however, all transmissions of data between fire- 
walls over the Internet are encrypted using the teachings 
of the present invention prior to transmission. The 
present invention may also be used in conjunction with 
a remote user operating with dynamically assigned IP 
addresses. In the case of a mobile or remote user utiliz- 
ing a public network address, only the IP data is 
encrypted utilizing the teachings of the present invention 
such that the public address and firewall destination 
addresses are sent in the clear over the Internet 

BRIEF DESCRIPTION OF THE DRAWIMf^ 

Figure 1 illustrates a data processing system incor- 
porating the teachings of the present invention. 

Figure 2 diagrammatically illustrates one possible 
network scheme using the teachings of the invention in 
an Internet environment 

Figure 3 illustrates a flow chart of the steps exe- 
cuted in sending an encrypted data packet from a net- 
work node I to a network node J, in accordance with the 
teachings of the present invention. 

Figure 4 is a flow chart of the steps executed for the 
receipt of encrypted data packets by node J from node I 
in accordance with the teachings of the present inven- 
tion. 

Figure 5 diagrammatically illustrates the transmis- 
sion format of an encrypted datagram. 

Figure 6 diagrammatically illustrates one possible 
network scheme using the teachings of the invention in 
an Internet environment 

Figure 7 is a flow chart illustrating an overview of 
the steps executed in sending an encrypted data packet 
between firewalls over the Internet. 

Figure 8 is a flow chart illustrating an overview of 
the steps executed by a receiving firewall utilizing the 
teachings of the present invention. 

Figure 9 illustrates a flow chart of the steps exe- 
cuted in sending an encrypted data packet from a firewall 
(FWA) to a firewall (FWB) over the Internet, in accord- 
ance with the teachings of the present invention. 

Figure 10 is a flow chart of the steps executed for 
the receipt of encrypted data packets by firewall (FWB) 
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from firewall (FWA) in accordance with the teachings of 
the present invention. 

Figure 11 conceptually illustrates a representative 
transmission packet including an encrypted encapsu- 
lated data packet sent between firewalls over the Internet 
in accordance with the teachings of the present inven- 
tion. 

Hgure 12 diagrammatically illustrates one possible 
network scheme utilizing the teachings of the present 
invention in which a mobile data processing device is 
temporarily coupled for communication to a private net- 
work. 

Fig ure 1 3 is a flow chart illustrating the sequence of 
steps executed by a mobile data processing device with 
a dynamically assigned address. 

Figure 14 is a flow chart illustrating the sequence of 
steps executed by a receiving firewall in the case of a 
mobile I P device utilizing dynamically assigned address- 
ing. 

Figure 15 conceptually illustrates a transmission 
packetand an encrypted encapsulated data packet in the 
case where a mobile data processing device communi- 
cates to distant nodes through firewalls coupled to the 
Internet 

Notation and Nomenclature 

The detailed descriptions which follow are pre- 
sented largely in terms of symbolic representations of 
operations of data processing devices coupled to a net- 
work These process descriptions and representations 
are the means used by those skilled in the data process- 
ing arts to most effectively convey the substance of their 
work to others skilled in the art 

An algorithm is here, and generally, conceived to be 
a serf-consistent sequence of steps leading to a desired 
result. These steps are those requiring physical manip- 
ulations of physical quantities. Usually, though not nec- 
essarily, these quantities may take the form of electrical 
or magnetic signals capable of being stored, transferred, 
combined, compared, displayed and otherwise manipu- 
lated. It proves convenient at times, principally for rea- 
sons of common usage, to refer to these signals as bits, 
values, elements, symbols, operations, messages, 
terms, numbers, or the like. It should be borne in mind, 
however, that all of these similar terms are to be associ- 
ated with the appropriate physical quantities and are 
merely convenient labels applied to these quantities. 

In the present invention, the operations referred to 
are machine operations. Useful machines for performing 
the operations of the present invention include general 
purpose digital computers (referred herein as "nodes"), 
or other similar devices. In all cases, the reader is 
advised to keep in mind the distinction between the 
method operations of operating a computer and the 
method of computation itself. The present invention 
relates to method steps for operating a computer, cou- 
pled to a series of networks, and processing electrical or 



other physical signals to generate other desired physical 
signals. 

The present invention also relates to apparatus for 
performing these operations. This apparatus may be 

5 specially constructed for the required purposes or it may 
comprise a general purpose computer selectively acti- 
vated or reconfigured by a computer program stored in 
the computer. The method/process steps presented 
herein are not inherently related to any particular com- 

ro p uter or other apparatus. Various general purpose 
machines may be used with programs in accordance 
with the teachings herein, or it may prove more conven- 
ient to construct specialized apparatus to perform the 
required method steps. The required structure for a vari- 

15 ety of these machines will be apparent from the descrip- 
tion given below. 

Detailed Description of the Invention 

2Q In the following description, numerous specific 
details are set forth such as system and network config- 
urations, representative data packets, messages, and 
devices, etc., to provide a thorough understanding of the 
present invention. However, it will be apparent to one 

25 skilled in the art that the present invention may be prac- 
ticed without these specific details. In other instances, 
well known circuits and structures are not described in 
detail in order to not obscure thepresent invention. More- 
over, certain terms such as "knows", Verifies", "exam- 

30 ines", "utilizes", "finds", "determines", "challenges", 
"authenticates", etc., are used in this Specification and 
are considered to be terms of art. The use of these terms, 
which to a casual reader may be considered personifi- 
cations of computer or electronic systems, refers to the 

35 functions of the system as having human-lite attributes, 
for simplicity. For example, a reference herein to an elec- 
tronic system as "determining" something is simply a 
shorthand method of describing that the electronic sys- 
tem has been programmed or otherwise modified in 

40 accordance with the teachings herein. The reader is cau- 
tioned not to confuse the functions described with eve- 
ryday human attributes. These functions are machine 
functions in every sense. 

45 Exemplary Hardware 

Figure 1 illustrates a data processing system in 
accordance with the teachings of the present invention. 
Shown is a computer 10, which comprises three major 

so components. The first of these is an input/output (I/O) 
circuit 12 which is used to communicate information in 
appropriately structured form to and from other portions 
of the computer 10. In addition, computer 10 includes a 
central processing (CPU) 1 3 coupled to the I/O circuit 1 2 

ss and a memory 14. These elements are those typically 
found in most general purpose computers and, in fact, 
computer 1 0 is intended to be representative of a broad 
category of data processing devices. Also shown is an 
interface circuit 17 coupled to the I/O circuit 12 for cou- 
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pling the computer 10 to a network, in accordance with 
the teachings herein. The interface circuit 1 7 may include 
encrypting and decrypting circuitry incorporating the 
present invention, or as will be appreciated, the present 
invention may be implemented in software executed by 5 
computer 10. A raster display monitor 16 is shown cou- 
pled to the I/O circuit 12 and issued to display images 
generated by CPU 13 in accordance with the present 
invention. Any well known variety of cathode ray tube 

(CRT) or other type of display may be utilized as display 10 
16. 

Referring now to Figure 2, a simplified diagram con- 
ceptually illustrates the Internet 20 coupled to a private 
network 22, a second private network 26, and a third pri- 
vate network 30. The network topology illustrated in Fig- is 
ure 2 is representative of the existing Internet topology, 
however, it will be noted that the present invention pro- 
vides an improved key management scheme which has 
application for use in networks other than the Internet 

One of the unique aspects of the Internet system is 20 
that messages and data are transmitted through the use 
of datagram packets. In a datagram-based network, 
messages are sent from a source to a destination in a 
similar manner to a government mail system. For exam- 
ple, a source computer may send a datagram packet to ss 
a destination computer regardless of whether or not the 
destination computer is currently on-line and coupled to 
the network. The Internet protocol (IP) is completely ses- 
sion-less, such that IP datagram packets are not associ- 
ated with one another. 30 

In this Specification, the present invention will be 
described with reference to communication between a 
node I coupled to private network 22, and a node J cou- 
pled to the private network 30, as shown in Figure 2. The 
nodes 1 and J represent computers, such as the compu- ss 
ter illustrated in Figure 1 , coupl ed to their respective net- 
works. For simplicity and ease of understanding, an 
operation by, for example, "node I", shall be understood 
to mean an operation by the computer coupled to net- 
work 22. 40 

One way to obtain authenticity and privacy at a dat- 
agram layer like IP is to use RSA public key certificates. 
Traditionally, in the event node I desires to send a data- 
gram to, for example, node J, the node I communicates 
with node J and authenticates itself using a certificate 45 
based key management infrastructure. An example of a 
certificate based infrastructure key management for 
secure Internet e-mail is the Privacy Enhanced Mail 
(PEM) system (see the PEM RFC documents f fled con- 
current with the Application upon which this patent is so 
based, and incorporated herein by reference, entitled 
"Privacy Enhancement for Internet Electronic Mail", 
parts l-IV rfcs 1421-1424, available on the Internet). 

The certificates used by PEM are RSA public key 
certificates. An RSA public key certificate is one which ss 
contains an RSA public key. (See, A.Aziz, W.DHfie, "Pri- 
vacy and Authentication for Wireless LANs", IEEE Per- 
sonal Communications. February 1994; and also, 
W.Diffie, M.Wiener, P.Oorschot, "Authentication and 



Authenticated Key Exchanges".) There are two primary 
ways in which RSA certificates can be used to provide 
authenticity and privacy foradatagram protocol. The first 
way is to use out-of-band establishment of an authenti- 
cated session key, using one of several session key 
establishment protocols. This session key can then be 
used to encrypt IP data traffic. Such a scheme has the 
disadvantage of establishing and maintaining a pseudo 
session state on top of a session-less protocol. The IP 
source must first communicate with the IP destination to 
acquire this session key. In addition, when the session 
key must to be changed to insure security, the IP source 
and the IP destination need to communicate again to 
effectuate the change. Each such communication 
involves the use of a computationally expensive public- 
key operation. This communication requirement is par- 
ticularly ill-suited to a datagram protocol like IP, which 
does not require the receiving computer to be in opera- 
tion to send packets to it, although to establish and 
change negotiated session keys the receiving computer 
must be operational. 

The second way an RSA certificate can be used to 
provide authenticity and privacy in a datagram protocol 
is to complete in-band signalling of the packet encryption 
key, such that the packet encryption key is encrypted in 
the recipients public key. This is the method PEM utilizes 
to accomplish message encryption. Although this avoids 
the session state establishment requirement, and also 
does not require the two parties to communicate to set 
up and change packet encryption keys, this scheme has 
the disadvantage of having to carry the packet encryp- 
tion key encrypted in the recpent's public key in every 
packet. Since an RSA encrypted key would minimally 
need to be 64 bytes, and can be 1 28 bytes, this scheme 
incurs the overhead of 64-128 bytes of keying informa- 
tion in every packet In addition, when the packet encryp- 
tion key changes, a public key operation would need to 
be performed to recover the new packet encryption key. 
Thus, both the protocol and computational overhead of 
such a scheme is high. 

The use of Drffie-Heilman (DH) public-key certifi- 
cates can avoid the pseudo session state establishment, 
and the communications requirement between the two 
communicating computers to acquire and change packet 
encrypting keys (see, W. Diffie, M.Hellman, "New Direc- 
tions in Cryptography", IEEE Transactions on Informa- 
tion Theory). Furthermore, the use of a DH public-key 
certificate does not incur the overhead of carrying 64- 
128 bytes of keying information in every packet and is 
better suited to protocols like IP, since it does not require 
the receiving computer to be operational to establish and 
change packet encrypting keys. 

Use of DH Certificate Based Key-Management for 
Datagram Protocols 

Referring now to the f taw charts illustrated in Fig- 
ures 3 and 4, the present invention's SKIP method uti- 
lizes DH public-key certificates for key management, 
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such that each IP source and destination is provided with 
a Diffie-Hellman pubOc key. This DH pubOo-key is cfistrfo- 
uted in the form of a certificate. The certificate can be 
signed using either an RSA or DSA signature algorithm. 
The certificate is referred to herein as a "D'rff ie-Hellman" 
(DH) certificate, because the public value that is certified 
is a Diffie-Hellman public value. 

H will be appreciated that the present invention's use 
1 of DH certificates to compute a shared key is fundamen- 
tally different than the use of the DH certificate to nego- 
tiate a session toy. for example, as described in the 
paper by Whitfield Drffie, entitled "Authentication and 
Authenticated Key Exchanges" (Wuwer Academic Pub- 
lishers, 1992), because the present invention uses a 
zero-message protocol to compute a shared secret All 
past uses of DH certificates have involved exchanging 
messages between the two communicating parties. 

In accordance with the teachings of the present 
invention, upon initialization each IP source or destina- 
tion computer, for example node I, is provided with a 
secret value i, and computes a public value at mod p. 
Similarly, node J is provided with a secret value j, and 
computes a public value a) mod p. For purposes of illus- 
tration, assume that node I wishes to communicate with 
a node J coupled to private network 30 in Figure 2. Both 
I and J can acquire a shared secret a iJ * mod p without 
having to communicate, as long as the public key of each 
IP node is known to all the other IP nodes. The values a 
and p are system parameters, where p is a prime 
number. It will be appreciated by one skilled in the art 
that local caching of DH certificates can eliminate the 
constant need for a directory service, thereby minimizing 
system overhead. 

The computable shared secret may be used as a 
key-encrypting key to provide for IP packet based 
authentication and encryption. Thus, we denote the 
value J mod p as the "long-term key", and derive from 
it a key Kg. The key Kg is used as the key for a known 
shared-key cryptosystem (SKCS) like DES or RC2. It will 
also be noted that Ky is an implicit pair-wise shared 
secret Kg does not need to be sent in every packet or 
negotiated out-of-band. Simply by examining the source 
of an IP packet, the destination IP node (for example, 
node J) can compute the shared secret Ky. 

The key Kjj is derived from oc^ mod p by using the low 
order key-size bits of c$ mod p. Since mod p is mini- 
mally at least 512 bits (and for greater security may be 
1 024 bits or higher), sufficient bits maybe derived for use 
as Kg which is used as a key for the SKCS. Typically, 
SKCS key sizes are in the range of 40-1 72 bits. 

As illustrated in the flow charts of Figures 3 and 4, 
the SKIP methodology utilizes the key Ky to encrypt a 
"transient key", which is referred to as Kp. The key Kp is 
generated at random to encrypt a configurable number 
of data packets. After the configurable number of data 
packets have been sent, a new Kp is generated at ran- 
dom. The transient key Kp is used to encrypt an IP data 
packet or a collection of IP data packets. The encryption 
using Kp limits the amount of data in the long-term key 



which a potential cracker can access. Since it is desirable 
to retain the long-term key for a relatively long period of 
time (one or two years), the actual IP data traffic is not 
encrypted in key Kg. In the preferred embodiment of the 

5 invention, only the transient keys of the long-term key are 
encrypted using K|, and the transient keys are used to 
encrypt IP data traffic. Thus, the amount of data 
encrypted in the long-term key (Ky) is limited to a rela- 
tively small amount over a long period of time. 

10 The first time the IP source, such as node I, which 
has been provided with the secret value i, communicates 
with the IP node J which has been provided with a secret 
value j, the node I computes the shared secret a? mod 
p. The node I can then cache this shared secret as the 

15 long-term key Ky. The node I then generates a random 
key Kp and encrypts this key using Ky. As illustrated in 
flow chart of Figure 3, the node I encrypts the IP packet 
data in key Kp, and transmits the encrypted IP datagram 
packet and the encrypted key Kp. The outgoing datagram 

20 packet sent by the source node I takes the form illus- 
trated in Figure 5. 

It will be appreciated that to prepare the datagram 
packet illustrated in Figure 5 for transmission on the out- 
bound side of node I, no communication was necessary 

25 with the receiving node J. In adcfition, since Ky is used 
as the key for the SKCS, the length of the encrypted key 
Kp is the block size of a shared-key cipher (typically 8 
bytes), as opposed to theblock sized 'a public-key cpher 
(typically 64-128 bytes), which would have been the case 

30 if RSA certificates had been used in conjunction with in- 
tend signalling of the packet encryption key. 

As shown in Figure 4, when node J receives the dat- 
agram packet the node J also computes the shared 
secret Ky and caches it for later use. Using Ky it obtains 

35 Kp, and using K^it decrypts the encrypted data which it 
then delivers to the appropriate local transport entity, or 
another outbound interface. 

The Message Indicator (Ml) shown in Figure 5 is a 
field that is used to preserve the statelessness of the prc- 

40 tocol of the present invention. If a single key is used to 
encrypt multiple packets, (which is highly desirable since 
changing the key on a per packet basis constitutes sig- 
nificant computational overhead) then the packets need 
to be decryptable regardless of lost or out-of-order pack- 

45 ets. The Ml field serves this purpose. The actual content 
of the Ml field is dependent on the choice of SKCS used 
for Kp and its operating mode. For example, if Kp refers 
to a block cipher (e.g. DES) operating in Cipher-Block- 
Chaining (CBC) mode, then the Mi for the first packet 

so encrypted in key Kp is the Initialization Vector (IV). For 
subsequent packets, the Ml is the last blocksize-bits of 
ciphertext of the last (in transmit order) packet. For DES 
or RC2 this would be 64 bits. For stream ciphers like 
RC4, the Ml is simply the count of bytes that have already 

55 been encrypted in key Kp (and may also be 64 bits). 

If the source node I decides to change the packet 
encryption key Kp, the receiving node J can cfiscover this 
fact without having to perform a public-key operation. 
The receiving node J uses the cached value Ky to decrypt 
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the encrypted packet key Kp, and this is a shared-key 
cryptosystem operation. Thus, without requiring commu- 
nication between transmitting (i) and receiving (J) ends, 
and without necessitating the use of a public-key opera- 
tion, the packet encrypting key can be changed by the 
transmitting side. 

Since DH certificates are used, the nodes i and J 
have no public-key signature algorithm. It will be appre- 
ciated that the lack of a public-key signature algorithm is 
not a major issue, since signing each packet using a pub- 
lic-key cryptosystem is too cumbersome in any case. In 
accordance with the present invention, the integrity of the 
packets is determined in a pairwise fashion using a 
SKCS. 

In order to retain the amount of data encrypted in 
any given key to be less than 232 (assuming a 64-bit block 
cipher) at T1 speeds of 1 .5 M bits/sec, the packet encryp- 
tion key must change roughly every six hours. This 
results in the amount of key material encrypted in the 
long-term key in a year to be roughly 24K bytes, well 
under the 232 m that would necessitate changing the 
long-term key more frequently than once a year. 

It will also be noted that the present invention's key- 
management scheme does not provide for any level of 
playback protection. Most of the existing transport pro- 
tocols deal with playbacks at the datagram layer. For 
example, TCP does sequencing of IP packets. Therefore 
it is not necessary to provide for this functionality at the 
datagram layer. If playback protection is important for a 
given application, then it would be built on top of the 
secure datagram protocol. Since the Kg values need to 
be cached for efficiency, reasonable safeguards need to 
be taken to protect these keys. One possible way to 
accomplish caching is to provide a hardware device to 
compute, store and perform operations using these keys. 
This device can ensure that there are no interfaces to 
extract the key from the device. It is contemplated that 
such a hardware device is incorporated within the CPU 
block 13 illustrated in Figure 1. 

The key management described herein may also be 
used to provide an integrity-only service for later packets. 
In this case, the key Ky can be used directly by either 
node I or node J to encrypt a message digest of the 
packet header or packet header end data. Since the 
message digest is a small amount of information, there 
is no need to send or use the transient key Kp. 

Datagram Multicast Protocols 

The method of the present invention may be used in 
conjunction with datagram multicasting protocols like IP 
(or IPng) multicast However, this will require key-man- 
agement awareness in the establishment and joining 
process of multicast groups. 

It is contemplated that when secure multicasting to 
a multicast address (M) is required, a group membership 
creation primitive wi II establish the secret value, and also 
provide the public valua For a multicast address M, a 
randomly generated secret value m is created by the 



group owner and the public value a™ mod p is computed. 
Also associated with each group address M is a mem- 
bership list of addresses that are allowed to transmit and 
receive encrypted multicast datagrams to and from 

5 group address M. 

The public value is distributed securely to the nodes 
on the public networks 22, 26 and/or 30, (see Figure 2) 
that wish to transmit to multicast address M. This Is 
accomplished by using the pairwise secure datagram 

10 protocol of the present invention described above Thus, 
nodes wishing to transmit to group address M acquire 
the public value a™ mod p from the group owner in a 
secured datagram from the group owner to the transmit* 
ting nodes. The public value a" 1 mod p is distributed in 

15 the form of a certificate that is "signed" (using a SKCS) 
in the long-term pair-wise shared secret This allows the 
group creation primitive to establish lifetimes for the tran- 
sient secret value m and its corresponding public value. 
Nodes wishing to receive encrypted datagrams sent 

20 to multicast address M need to acquire the secret value 
m. This is accomplished by sending the request to join 
primitive to the group owner. If the requesting node's 
address is among those that are part of the group's 
receive membership, then the group owner will send the 

25 secret value m, and the associated public value certifi- 
cate in an encrypted packet, again using the pairwise 
secure protocol of the present invention previously 
described above. 

A transmitting node (for example node I) wishing to 

so send to group address M will use the value a m mod p to 
derive the key Kj m . Transmitting nodes do not need to 
know the secret value m; all they need to know is the 
group public value a m mod p, and knowing their own 
secret value (i), can compute the shared secret a™ mod 

35 p from which they derive K^. The value K^ is then used 
to encrypt the packet encrypting key Kp. Since the receiv- 
ing nodes know the group secret m, and the public value 
oi mod p they can also compute K, m , and thereby decrypt 
the packet 

40 An advantage of the method of the present invention 
is that only the keying information is distributed in a pair- 
wise fashion. The actual encrypted data packet is sent 
using the standard multicast delivery mechanisms, 
thereby allowing the same network bandwidth efficiency 

45 that is expected of a network layer multicast protocol 
when operating over subnetworks which also support 
multicasting (for example, Ethernet, FDDI, etc). Moreo- 
ver, how the identity of the group owner is established 
and communicated to the participating nodes is left to 

so the application layer, although this also needs to be 
accomplished in a secure fashion, otherwise the under- 
lying key-management facility may be defeated. 

The scalability of the present invention's scheme is 
intended to be limited to a moderate number of nodes, 

55 and not an extremely targe number of nodes. However, 
this is not a major limitation, because there is a tradeoff 
between keeping a value secret and having it be widely 
distributed. 
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Management of DH certificates 

Since the nodes* public DH values are communi- 
cated in the form of certificates, the same type of mufti- 
tier certification structure that is being deployed for PEM, s 
and also by the European PASSWORD. There may be a 
Top Level Certifying Authority (TLCA) which may consti- 
tute the same the Internet Policy Registration Authority 
(IPRA), Policy Certifying Authorities (PCAs) at the sec- 
ond tier and the organizational Certificate Authorities 10 
(CAs) below that 

In addition to the identity certificates, which are part 
of PEM, additional authorization certificates are needed 
to properly track the ownership of IP addresses. Since it 
is desirable to directly use IP addresses in the DH cer- 15 
tificates, name subordination principles alone cannot be 
used to determine if a particular C A has the authority to 
bind a particular IP address to a DH public key. However, 
the present invention may use the X.509/PEM certificate 
format since the subject Distinguished Name (DN) in the 20 
certificate can be the ASCI I decimal representation of an 
IP (or IPng) address. 

In as much as the nodes only have DH public keys, 
which have no signature capability, the nodes them- 
selves are unable to issue DH certificates. The node cer- 2$ 
tificates are issued by organizational CAs which have 
jurisdiction over the range of IP addresses that are being 
certified. The PCAs will have to perform suitable checks 
fin line with the policy of that PCA), to confirm that the 
organization which has jurisdiction over a range of so 
addresses is issued a certificate giving it the authority to 
certify the DH values of individual nodes with those 
addresses. This authority may be delegated in the form 
of a authorization certificate signed by the PCA For the 
purposes of authorization, the CA's Distinguished Name ss 
(DN) will be bound to the range of IP addresses over 
which it has jurisdiction. The CA has either an RSA or 
DSA certificate from the PCA The CA which has author- 
ity over a range of IP addresses can delegate authority 
over part of the range to a subordinate CA, by signing 40 
another authorization certificate using its own private 
key. The organizational CA so authorized is identified by 
the range of addresses that it can issue certificates for. 
Hie range of IP addresses are identified in the certificate 
in the form of a IP address prefix. 45 

Application of the Present I nvention to Site Firewalls 

Referring now to Figure 6, the application of SKIP 
to communications between site firewalls will be so 
described. Internet 30 is coupled to a private network 32 
through a "firewall" server (FWA). A firewall" server is a 
computer which couples the computers of a private net- 
work to the Internet 30, and may thus act as a gatekeeper 
for messages and data going to and from the Internet A 55 
second private network 40 is also coupled for communi- 
cation with the Internet 30 through a firewall server 
(FWB). A third private network 36 is coupled through a 
firewall server (FWC)tothe Internet 30. The firewall serv- 



ers are Internet protocol (IP) server computers which do 
not generally run application software, but rather encrypt 
and decrypt datagram traffic sent and received to nodes 
on the private networks overthe Internet 30. The network 
topology illustrated in Figure 6 is representative of one 
Internet topology, however, it will be noted that the 
present invention provides an improved key manage- 
ment scheme which has application for use in networks 
other than the Internet 

In this Specification, the present invention is 
described with reference to communication between fire- 
walls and between nodes. For example, a node I is cou- 
pled to private network 32 through the firewall (FWA). A 
node J coupled to the private network 40 communicates 
over the Internet through the firewall (FWB), as shown 
in Figure 6. The nodes I and J. and the firewalls (FWA) 
and (FWB) represent computers, such as the computer 
illustrated in Figure 1 , coupled to their respective net- 
works. For simplicity and ease of understanding, an 
operation by, for example, "node I" or firewall (FWA), shall 
be understood to mean an operation by the computer 
coupled to network 32. 

Each firewall shown in Figure 6 is configured to 
understand which firewall to send data packets to, given 
a destination IP address. This may be implemented by 
providing the firewalls with a map of all valid IPaddresses 
disposed on its particular private network a at another 
location on the Internet. The map may be in the form of 
prefix matches, up to and including the full IP address. 

Referring now generally to the flowcharts of Figures 
7 and 8, utilizing the map a firewall determines whether 
a data packet is intended for a remote node across the 
public part of the Internet 30, and if that is the case, the 
firewall looks up the corresponding IP address of the 
remote firewall. For example, assume that a node I 
desires to send a data packet to a node J on private net- 
work 40. The firewall FWA first determines that node J 
is coupled to network 40, and that firewall FWB serves 
the network 40. Thai the firewall FWB encapsulates the 
original IP data packet (header and data) and transmits 
the data packet in an encrypted IP packet intended for 
the remote firewall FWB. As will be described, the 
encryption is performed using the SKIP pair-wise packet 
encryption scheme, where the pair is the transmitting 
and receiving firewalls FWA and FWB. The receiving fire- 
wall (FWB) will execute the steps illustrated in Figure 8 
complete the corresponding SKIP decryption. The fire- 
wall FWB understands that it has received a tunneled IP 
packet, and then sends the decrypted data packet in the 
clear through the interior of the private network 40 to the 
node J. 

The rationale of the present invention for performing 
secure tunneling, (encapsulating the entire original IP 
packet), as opposed to simply encrypting the data por- 
tion of the IP packet while leaving the original header 
intact is that the encryption of the entire IP packet pre- 
vents the topology and the number of nodes in the inte- 
rior network to be discovered by a cracker. All a cracker 
can determine is that there are certain number of fire- 
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walls that communicate with each other. No information 
about which nodes in the interior networks are commu- 
nicating on an end-to-end basis, or how many nodes 
exist in the interior of the private networks is divulged to 
outside observers. s 

Referring now to the flow charts illustrated in Fig- 
ures 9 and 10, the SKIP protocol is described utilizing 
DH public-key certificates for key management such 
that each IP source and destination firewall is provided 
with a Diffie-Hellman public key. 10 

The reader is referred to the flow charts of Rgures 
9 and 10, for the detailed steps executed by the sending 
and receiving firewalls, and to the more general overview 
flow charts of Rgures 7 and 8. In this Specification, for 
purposes of illustration, the present invention is is 
described with reference to node I sending a datagram 
packet to node J, shown in Rgure 6. It will be appreciated 
that the selection of node I as a source node and node 
J as a receiving node is arbitrary. In actuality, both nodes 
can send and receive datagrams, and there are many 20 
nodes coupled to numerous private networks in commu- 
nication over the Internet 30. 

The present invention begins with the source node 
I sending a datagram in unencrypted form over private 
network 32 to the firewall FWA. Upon initialization IP 25 
source firewall FWA is provided with a secret value a, 
and computes a public value ct 8 mod p. Similarly, firewall 
FWB is provided with a secret value b, and computes a 
public value c£ mod p. For purposes of illustration, 
assume that node I wishes to communicate with a node so 
J coupled to private network 40. As previously described 
with reference to Rgures 3 and 4 (where corre- 
sponds to Kg), K^ need not be sent in every packet or 
negotiated out-of-band. Simply by examining the source 
of an IP packet, the destination IP firewall (for example. 35 
FWA) can compute the shared secret K^. The key K^ 
is derived from mod p by using the low order key- 
size bits of a** mod p. 

As illustrated in the flow charts of Rgures 9 and 1 0, 
the SKIP protocol then utilizes the key to encrypt a 40 
"transient key" which is referred to as Kp. The transient 
key Kp is a randomly generated value which is configura- 
ble for use with a predefined number of bytes. Once the 
key Kp has been used for the predefined number of bytes, 
the key Kp is changed to enhance security. The 45 
encrypted transient key Kp is used to encrypt the 
received data packet from node I, or a collection of IP 
data packets. The encryption using Kp limits the amount 
of data in the long-term key which a potential cracker can 
access. In the preferred embodiment of the invention, so 
only the transient keys of the long-term key are 
encrypted using K^ and the transient keys are used to 
encrypt IP data traffic. 

The first time the IP firewall, such as firewall FWA, 
which has been provided with the secret value a. com- ss 
municates with the firewall FWB which has been pro- 
vided with a secret value b. the firewall FWA computes 
the shared secret at* mod p. The firewall FWA can then 
cache this shared secret as the long-term key K^ FWA 



then generates a random key Kp and encrypts this key 
using K^ As illustrated in flow chart of Rgure 7, FWA 
encrypts the IP packet in key Kp including the original IP 
header and data. The f irewall FWA then encapsulates 
the encrypted IP packet in a transmission packet of the 
form illustrated in Rgure 11 . The outer IP healer of the 
transmission packet specifies the protocol type for the 
contents of the outer header. The firewall FWA then 
transmits the transmission packet over the Internet 30 to 
the receiving firewall FWB. 

It will be appreciated that to prepare the transmis- 
sion packet illustrated in Rgure 11 for transmission on 
the outbound side of FWA. no communication was nec- 
essary with the receiving firewall FWB. In addition, since 
K^ & used as the key for the SKCS, the length of the 
encrypted key Kp is the block size of a shared-key cipher 
(typically 8 bytes), as opposed to the block size of a pub- 
lic-key cipher (typically 64-128 bytes), which would have 
been the case if RSA certificates had been used In con- 
junction with in-band signalling of the packet encryption 
key. 

As shown in Rgure 1 0, when firewall FWB receives 
the transmission packet, FWB also computes the shared 
secret K^ and caches it for later use. Using K^ it obtains 
Kp. Firewall FWB removes the encrypted data packet 
from the transmission packet and decrypts the encrypted 
data, which it then delivers to the appropriate local trans- 
port entity in private network 30 for delivery to node J. 

If the firewall FWA decides to change the packet 
encryption key Kp, the receiving firewall FWB can dis- 
cover this fact without having to perform a public-key 
operation. The receiving firewall FWB uses the cached 
value Kab to decrypt the encrypted packet key Kp, and 
this is a shared-key cryptosystem operation. Thus, with- 
out requiring communication between transmitting 
(FWA) and receiving (FWB) ends, and without necessi- 
tating the use of a public-key operation, the packet 
encrypting key can be changed by the transmitting side. 

The firewalls FWA and FWB have no public-key sig- 
nature algorithm. It will be appreciated that the lack of a 
public-key signature algorithm is not a major issue, since 
signing each packet using a public-key cryptosystem is 
too cumbersome in any case. In accordance with the 
present invention, the integrity of the packets is deter- 
mined in a pair-wise fashion using a SKCS. 

Since the K^ values need to be cached for effi- 
ciency, reasonable safeguards need to be taken to pro- 
tect these keys. One possible way to accomplish caching 
is to provide a hardware device to compute, store and 
perform operations using these keys. This device can 
ensure that there are no interfaces to extract the key from 
the device, ft is contemplated that such a hardware 
device may be incorporated within the CPU block 13 
illustrated in Rgure 1. 

In as much as the firewalls only have DH public keys, 
which have no signature capability, the firewalls them- 
selves are unable to issue DH certificates. The firewall 
certificates are issued by organizational C As which have 
jurisdiction over the range of IP addresses that are being 
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certified. The PCAs will have to perform suitable checks 
(in line with the policy of that PCA), to confirm that the 
organization which has jurisdiction over a range of 
addresses is issued a certificate giving it the authority to 
certify the DH values of individual firewalls with those 5 
addresses. This authority may be delegated in the form 
of a authorization certificate signed by the PCA. For the 
purposes of authorization, the CA's Distinguished Name 
(ON) will be bound to the range of IP addresses over 
which it has jurisdiction. The CA has either an RSA or 10 
DSA certificate from the PCA. The CA which has author- 
ity over a range of IP addresses can delegate authority 
over part of the range to a subordinate CA, by signing 
another authorization certificate using Hs own private 
key. The organizational C A so authorized is identified by 75 
the range of addresses that it can issue certificates for. 
The range of IP addresses are identified in the certificate 
in the form of a IP address prefix. 

However, since only the firewall machines partici- 
pate in the key management protocol this embodiment 20 
of the present invention, there is a relatively small 
number of certificates that need to be managed. This is 
an advantage over the basic SKIP protocol as described 
previously in this Specification. For an organization sim- 
ply communicating with its various subsidiaries over the 2s 
Internet 30, the DH certificates may be signed by a few 
Certification Authorities (CAs) operated by the various 
sites. There can be as few as one CA per site for this 
purpose, or even one CAfor the entire collection of sites. 

30 

User Authentication 

The application of the present invention to site fire- 
walls is also described with reference to remote user 
authentication. The first remote user authentication 35 
application described herein is for the case where a user 
has a known IP address (and hence an assignable DH 
certificate). For example, when a user connects to an 
application or transport layer relay at a firewall machine, 
such as FWA, the appl ication or transport layer relay ere- 40 
ates an unsecured connection to the interior of the pri- 
vate network 32. The relay performs the user 
authentication. If we assume that the application sup- 
ports password based authentication, which is true for 
most of the existing applications such as ftp, telnet, etc., 45 
then layering the password on top of an encrypted dat- 
agram substrate provides for strong user authentication, 
as described more fully below. 

In accordance with the present invention, the login 
prompt is allowed to contain a randomly generated so 
alphanumeric string. This random string is displayed in 
the dear to the user. The user enters the string in the 
password field, as well as his/her long-term password. 
The receiving computer checks to see if the string is 
properly present in the password field, and obtains the ss 
rest of the user password. This password is then checked 
using the regular password verification mechanism. 

The present invention's authentication scheme has 
the following advantages. The password is only sent 



encrypted over the Internet, since it is going in an un- 
encrypted datagram from the remote node (I) to the fire- 
wall machine (FWA). By providing a random string in the 
login prompt, the user must enter a new string along with 
his/her password on every log-in attempt This require- 
ment effectively eliminates the possibility of encrypted 
datagram playback attacks. The password is used to pro- 
vide user authentication, so even if a properly configured 
IP host is acquired by an intruder, the intruder cannot 
connect to a firewall machine without first entering a valid 
password. 

It will be appreciated that the client application is 
simply given a login prompt, and the user is then asked 
to provide a response, similar to the client applications 
currently in placa This feature is a major advantage over 
the prior art because by acting on the IP layer, the exist- 
ing applications can automatically benefit, without hav- 
ing to modify software on a per client application basis. 
Furthermore, since all the IP packets are encrypted over 
the Internet a variety of attacks, both passive and active 
are prevented, providing for a very high level of security, 
without necessitating modifications to the existing myr- 
iad client applications. Since the present invention is exe- 
cuted by firewalls, the only computers that need to 
implement the IP layer key-management scheme are the 
firewall machines. All the interior machines, such as 
nodes I and J in Figure 6. may continue to run the exist- 
ing software. 

Remote User Operating with Dynamically Assigned 
IP Address 

Referring nowtoFlgures 12through 15, thepresent 
invention will be described with reference to the case 
where IP addresses are dynamically assigned. In the 
previous section, it was assumed that the user was uti- 
lizing a known IP address. In other words, the IP address 
and its corresponding DH certificate can be made known 
to a particular firewall machine in advance. This would 
be the case if the user's computer uses a remote dial-up 
style link, or some other fixed topology scenaria This 
would also be the case if the user's computer uses one 
of the several mobile IP protocols which allow the 
machine to move around, and yet retain its IP address. 
(See, copending patent application entitled "A Scalable 
and Efficient Intra-Domain Tunneling Mobile-IP 
Scheme", Serial Number 08/128,838. filed September 
29, 1993, and assigned to the Assignee of this patent. 
Sun Microsystems, Inc.). 

However, if the user is carrying a portable computer 
and connects to a public network facility where the com- 
puter is dynamically assigned an IP address using a pro- 
tocol such as the Dynamic Host Configuration Protocol 
(DHCP), the user's IP address is not known. In such 
event the present invention utilizes a tunneling scheme 
in which instead of having cryptographic credentials 
associated with the outer IP address, the cryptographic 
credentials are associated with the inner IP address. 
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Referring now to Figure 1 2, there is shown an illus- 
tration of a mobile computer 49 ("mobBe") having a long 
term IP address M, coupled to a network 50 at a tempo- 
rary IP address lP d . As illustrated, the network 50 is cou- 
pled to communicate over the Internet 30 through a 5 
firewall (FWX). Moreover, a second private network 52 
is coupled to Internet 30 through a firewall (FWY). 
Assume, for purposes of explanation, that the mobile 
machine wishes to communicate with node R on the net- 
work52, using the teachings of the present invention pre- 10 
viously described with reference to Figures 7 through 
11. 

As shown in Figure 13, the mobile computer 49 pre- 
pares an outgoing (unencrypted) data packet as if the 
source IP address was the long-term IP address M, and is 
so is configurable for cryptographic credentials and 
remote access. The remote machine 49 sends this data 
packet to the firewall FWA over network 50. 

As provided in Figure 14, the firewall FWX receives 
the data packet and encrypts the IP data using the SKIP 20 
method described with reference to Figures 7 through 
11. The encrypted IP packet is encapsulated in a trans- 
mission packet using the source IP address as the 
dynamically assigned IP d address. The destination 
address is the address of the destination firewall (FWY). 25 
The form of the transmission packet and the encrypted 
encapsulated data packet is illustrated in Figure 1 5. Both 
the outer and inner IP header specifies an appropriate 
protocol type field for proper encapsulation and encryp- 
tion processing. As provided in the flow chart of Figure so 
14, thef irewall FWY receives the encapsulated IP packet 
and decrypts it using the SKIP scheme. The firewall FWY 
passes the decrypted data packet to the local transport 
entity of private network 52 in the clear to the destination 
nodeR. 35 

The firewall FWY performs the same type of tun- 
neling to send a data packet back to the mobile computer 
49 with the dynamically assigned address. As will be 
appreciated, the node R first prepares an IP data packet 
intended for the long-term IP address (M). and forwards 40 
this packet to firewall FWY. The firewall FWY encrypts 
the data packet using SKIP, and encapsulates the data 
packet into a transmission packet intended for the tran- 
sient dynamically assigned IP address (IPd). The tran- 
sient mapping between the long-term IP address (M) and 45 
the short term IP address (IPJ by the firewall FWY lasts 
for the duration of the TCP connection that caused this 
binding. 

Since in this Specification it is assumed there exists 
transport or application layer relaying, only the firewall so 
FWY must be capable of handling this kind of tunneling. 
Moreover, the present invention may operate in the 
absence of firewall application or transport layer relaying, 
as long as the end machines implement the present 
invention's protocol. 55 

Although the present invention has been described 
with reference to a few exemplary Figures 1-15. it will 
be apparent that many alternatives, modifications and 



variations may be made in light of the foregoing descrip- 
tion. 

Claims 

1. An improved method for a first data processing 
device (node I) to send data to a second data 
processing device (node J), comprising the steps of: 

providing an element for performing the step 
of providing a secret value i, and a public value ol 
mod p to said node I; 

providing an element for performing the step 
of providing a secret value j, and a public value <J 
mod p to said node J; 

said node I including an element for perform- 
ing the steps of: 

obtaining a Diff ie-Helman (DH) certificate for 
node J and determining said public value at mod p 
from said DH certificate; 

computing the value of a? mod p, said node I 
further deriving a key Kg from said value 0$ mod p; 

utilizing said key Kg to encrypt a randomly 
generated transient key Kp, and encrypting a data 
packet to be transmitted to node J using said key Kp: 
providing an element for performing the step 
of said node I sending said data packet encrypted 
using said key Kp to said node J. 

2. The method as defined by claim 1, further com- 
prising the steps by said node J of: 

providing an element for performing the step 
of receiving said data packet from node I; 

providing an element for performing the step 
of obtaining a DH certificate for said node I and 
determining said public value at mod p from said DH 
certificate; 

providing an element for performing the step 
of computing the value of a 5 mod p, said node J fur- 
ther deriving said key Kjj from said value mod p; 

providing an element for performing the step 
of utilizing said key Kp to decrypt the transient key 
Kp, and decrypting said received data packet using 
said transient key Kp; 

whereby node J decrypts data received and 
previously encrypted by node I. 

3. The method as defined by claim 2, wherein said 
key Kg is derived from afl mod p using low order bits 
of a'* mod p. 

4. The method as defined by claim 3, wherein the 
key Kjj is an implicit pair wise secret used as a key 
for a shared key cryptosystem (SKCS). 

5. The method as defined by claim 4, wherein said 
SKCSisDES. 

6. The method as defined by claim 5, wherein said 
SKCS is RC2. 

7. The method as defined by daim 4, wherein said 
data packet includes a source address, a destination 
address and in SKCS identifier field. 
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8. The method as defined by claim 7, wherein said 
data packet further includes a message indicator 
field. 

9. The method as defined by claim 4, wherein a and 

p are system parameters, and where p is a prime s 
number. 

10. An apparatus for encrypting data for transmis- 
sion from a first data processing device (node 0 to 
a second data processing device (node J), compris- 
ing: 10 

node I including a first storage device for stor- 
ing a secret value i, and a public value al mod p; 

node J inducing a second storage device for 
storing a secret value j, and a public value ci mod p; 

node I including an encrypting device for is 
encrypting a data packet to be transmitted to node 
J, said data packet being encrypted using a first Dif- 
fie-Heiman (DH) certificate for node J to determine 
said public value ai mod p; 

said encrypting device further computing the 20 
value of a r * mod p and deriving a key Ky from said 
value a j j mod p; 

said encrypting device encrypting a randomly 
generated transient key Kp from Kg, and encrypting 
said data packet using said transient key Kp*, 25 

node I further including an interface circuit for 
transmitting said encrypted data packet to said node 
J. 

11. The apparatus as defined by claim 10, wherein 
said node J further includes: so 

a receiver for receiving said encrypted data 
packet from node I; 

a decrypting device coupled to said receiver 
for decrypting said data packet from node I. 

1 2. The apparatus as defined by claim 1 1 , wherein ss 
said decrypting device obtains a second DH certifi- 
cate for said node I and determines said public value 

al mod p, and computes the value of c$ mod p. said 
decrypting device further deriving said key Kg from 
cc? mod p. 40 

1 3. The apparatus as defined by claim 1 2, wherein 
said decrypting device utilizes said key Kg to decrypt 
said transient key Kp, and decrypts said received 
data packet using said transient key Kp. 

14. The apparatus as defined by claim 13, wherein 45 
said key Kq is derived from ofi mod p using low order 
bits of c$ mod p. 

15. The apparatus as defined by claim 14, wherein 
said key Kg is an implicit pair wise secret used as a 
key for a shared key cryptosystem (SKCS). so 

16. The apparatus as defined by claim 15, wherein 
said data packet includes a source address, a des- 
tination address and an SKCS identifier field. 

17. The apparatus as defined by claim 16, wherein 
said data packet further includes a message indica- 55 
tor field. 

18. The apparatus as defined by claim 17, wherein 
a and p are system parameters, and where p is a 
prime number. 



19. The apparatus as defined by claim 15, wherein 
said SKCS is DES. 

20. The apparatus as defined by claim 15, where 
said SKCS is RC2. 

21. In a network including a first data processing 
device (node I) coupled to a first firewall server 
(FWA) and a second data processing device (node 
J) coupled to a second firewall server (FWB), said 
first and second firewall servers disposed between 
said respective nodes I and J and said network, an 
improved method for sending data from said node I 
to said node J, comprising the steps of: 

providing an element for performing the step 
of said node I sending a data packet, including data 
and a destination address for node J, to said FWA; 

providing an element for performing the step 
of providing a secret value a, and a public value or 9 
mod p to said FWA; 

providing an element for performing the step 
of providing a secret value b, and a public value 0^ 
modptosaid FWB; 
said FWA performing the steps of: 

adapting FWA for obtaining a Diffie-Hellman 
(DH) certificate for FWB and determining said public 
value of* mod p from said DH certificate; 

said firewall FWA corrputing the value of or 95 
mod p, said FWAfurtherderiving a key K^ from said 
value cc** 5 mod p; 

said firewall FWA utilizing said key K^ to 
encrypt a randomly generated transient key Kp, and 
encrypting said data packet to be transmitted to 
FWB using said key Kp, said encrypted data packet 
being encapsulated in a transmission packet includ- 
ing an unencrypted destination address for FWB; 

said FWA sending said transmission packet 
to said FWB. 

22. The method as defined by claim 2 1 , further com- 
prising the steps by said FWB of: 

providing an element for performing the step 
of receiving said transmission packet from FWA and 
decapsulating said data packet from said transmis- 
sion packet; 

providing an element for performing the step 
of obtaining a DH certificate for said FWA and deter- 
mining said public value a* mod p from said DH cer- 
tificate; 

providing an element for performing the step 
of computing the value of mod p, said FWB fur- 
ther deriving said key from said value of* mod 

p; 

providing an element for performing the step 
of utilizing said key K^ to decrypt said transient key 
Kp, and decrypting said received encrypted data 
packet using said transient key Kp; 

providing an element for performing the step 
of sending said decrypted data packet to said node 
J; 

whereby FWB decrypts data received and 
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previously encrypted by FWA, and sends said 
decrypted data to said node J. 

23. The method as defined by claim 22, wherein said 
FWB sends said received data packet to said node 

J using said decrypted destination address in said s 
decrypted data packet. 

24. The method as defined by claim 24, wherein said 
toy is derived from a* 5 mod p using low order 
bits of mod p. 

25. The method as defined by claim 24, wherein the 10 
key is an implicit pair wise secret used as a key 

for a shared key cryptosystem (SKCS). 

26. The method as defined by claim 25, wherein a 
and p are system parameters, and where p is a 
prime number. is 

27. The method as defined by claim 26, wherein said 
transmission packet further includes a source 
address identifying the source of said transmission 
packet as FWA, and an SKCS identifier field 

28. A network including a first data processing 20 
device (node I) coupled to a first firewall server 
(FWA) and a second data processing device (node 

J) coupled to a second firewall server (FWB), said 
first and second firewall servers disposed between 
said respective nodes I and J and said network, 25 
comprising: 

node I including a transmission device for 
sending a data packet having data and a destination 
address for node J, to said FWA; 

FWA including a first storage device for stor- so 
ing a secret value a, and a public value a® mod p; 

FWB including a second storage device for 
storing a secret value b, and a public value a* mod 

p; 

FWA including an encrypting device for ss 
encrypting said data packet to be transmitted to 
FWB, said data packet being encrypted by using a 
first Diff ie-Hellman (DH) certificate for FWB to deter- 
mine said public value a* mod p, and 

said encrypting device further computing the 40 
value of a** mod p and deriving a key K^ from said 
value a 8 * mod p; 

said encrypting device encrypting a randomly 
generated transient key Kp from and encrypting 
said data packet using said transient key K^ 4s 

said encrypted data packet being encapsu- 
lated in a transmission packet said transmission 
packet including an unencrypted destination 
address for FWB; 

FWA further inclucfing an interface circuit for so 
transmitting said transmission packet to said FWB 
over said network. 

29. The network as defined by claim 28. wherein 
said FWB further includes: 

a receiver for receiving said transmission ss 
packet from FWA and decapsulating said data 
packet from said transmission packet; and 

a decrypting device coupled to said receiver 
for decrypting said data packet 



3a The network as defined by claim 29. wherein 
said decrypting device obtains a second DH certifi- 
cate for said FWA and determines said public value 
a? mod p f and computes the value of a®** mod p, said 
decrypting device further deriving said key from 
o^modp. 

31. The network as defined by claim 30, wherein 
said decrypting device utilizes said key to 
decrypt said transient key Kp, and decrypts said data 
packet using said transient key Kp. 

32. The network as defined by claim 31, wherein 
said key is derived from a 85 mod p using low 
order bits of a* 6 mod p. 

33. The network as defined by claim 32, wherein 
said key K^ is an implicit pair wise secret used as 
a key for a shared key cryptosystem (SKCS). 

34. The network as defined by claim 33, wherein a 
and p are system parameters, and where p is a 
prime number. 

35. In a network including a mobile data processing 
device (device M) having a long term address M and 
a temporary address IP d , said device M coupled to 
a first firewall server (FWX), and a second data 
processing device (device R) coupled to a second 
firewall server (FWY), said first and second firewall 
servers disposed between said respective devices 
M and R, an improved method for sending data from 
said device M to said device R, comprising the steps 
of: 

said device M sending a data packet includ- 
ing data, adestination address for device R, and said 
long term address M to said firewall FWX; 

providing a secret value x, and a public value 
o^modptosaid FWX; 

providing a secret value y, and a public value 
aX mod p to said FWY; 
said FWX performing the steps of: 

obtaining a Diffie-Hellman (DH) certificate for 
FWY and determining said public value aY mod p 
from said DH certificate; 

computing the value of a** mod p, said FWX 
further deriving a key Kxy from said value a** mod 
p: 

utilizing said key K^ to encrypt a randomly 
generated transient key Kp, and encrypting said data 
packet to be transmitted to FWY using said key Kp, 

said encrypted data packet being encapsu- 
lated in a transmission packet inclucfing an unen- 
crypted destination address for FWY and said 
temporary address IP d as a source address; 

said FWX sending said transmission packet 
to said FWY. 

35. The method as defined by claim 35. further com- 
prising the steps by said FWY of: 

receiving said transmission packet from FWX 
and decapsulating said data packet from said trans- 
mission packet; 

obtaining a DH certificate for said FWX and 
determining said public value a* mod p from said DH 
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certificate; 

computing the value of oP mod p, said FWY 
further deriving said key K^ from said value a** mod 

p; 

utilizing said key Kxy to decrypt said transient 5 
key Kp, and decrypting said received encrypted data 
packet using said transient key Kp; 

sending said decrypted data packet to said 
device R; 

whereby FWY decrypts data received and 10 
previously encrypted by FWX, and sends said 
decrypted data to said device R. 

37. The method as defined by claim 36, wherein said 
key Kyy is derived from a** mod p using low order 
bits of a** mod p. is 

38. The method as defined by claim 37, wherein the 
key Kxy is an implicit pair wise secret used as a key 
for a shared key cryptosystem (SKCS). 

39. The method as defined by claim 38. wherein a 
and p are system parameters, and where p is a 20 
prime number. 

40. A network including a mobile data processing 
device (device M) having a long term address M and 
a temporary address on said network IP d , said 
device M coupled to a first firewall server (FWX) and 25 
a second data processing device (device R) coupled 

to a second firewall server (FWY), said first and sec- 
ond firewall servers disposed between said respec- 
tive devices M and R, comprising: 

device M including a transmission device for so 
sending a data packet including data, and a desti- 
nation address for device R, and said long term 
address M to said firewall FWX; 

FWX including a first storage device for stor- 
ing a secret value x, and a public value a* mod p; 35 

FWY including a second storage device for 
storing a secret value y, and a public value a y mod 

p; 

FWX including an encrypting device for 
encrypting said data packet to be transmitted to 40 
FWY, said data packet being encrypted by using a 
first Diffie-Hellman (DH) certificate for FWY to deter- 
mine said public value a y mod p, and said encrypting 
device further 

computing the value of mod p and deriv- 45 
ing a key from sad value mod p; 

said encrypting device encrypting a randomly 
generated transient key Kp and encrypting said data 
packet using said transient key Kp; 

said encrypted data packet being encapsu- so 
lated in a transmission packet, including an unen- 
crypted destination address for FWY and said 
temporary address IP d as a source address; 

FWX further including an interface circuit for 
transmitting said transmission packet to said FWY 55 
over said network. 

41. The network as defined by claim 40, wherein 
said FWY further includes: 

• a receiver for receiving said transmission 



packet from FWX and decapsulating said data 
packet from said transmission packet; 

a decrypting device coupled to said receiver 
for decrypting said data packet. 

42. The network as defined by claim 41, wherein 
said decrypting device obtains a second DH certifi- 
cate for said FWX and determines said public value 
a* mod p, and computes the value of cc** mod p, said 
decrypting device further deriving said key K^ from 
a** mod p. 

43. The network as defined by claim 41, wherein 
said decrypting device utilizes said key K^ to 
decrypt said transient key Kp, and decrypts said data 
packet using said transient key Kp. 

44. The network as defined by claim 41, wherein 
said key Kxy is derived from mod p using low 
order bits of a** mod p. 
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